[Pdns-dev] DS RRs do not validate

James Cloos cloos at jhcloos.com
Sat Apr 23 20:24:30 CEST 2011


>>>>> "bh" == bert hubert <bert.hubert at netherlabs.nl> writes:

bh> Maybe something else is going on. Can you show 'pdnssec show-zone
bh> jhcloos.us'?  It only shows public keying material.

I enabled narrow since I posted and added per-zone salts:

:; pdnssec_static show-zone jhcloos.us
Zone has NARROW hashed NSEC3 semantics, configuration: 1 1 1 cbc52e2d3584bdbe
Zone is not presigned
keys: 
ID = 42 (KSK), tag = 23900, algo = 8, bits = 2048       Active: 1
KSK DNSKEY = jhcloos.us IN DNSKEY 257 3 8 AwEAAdDnaycbNggeRGm1GhMhIiP33JGfvp38qlt1KZlnTMeW/4CaVMTCpIG8F2di+G2/HS/n3OBOWh2JWpCMFwkW3KSfOV4b0ZViRqPGdiha/JTXWKY45/CNZISX+oDm22pVY2Gi6K7bvQl0vOk6NHljV5ZochKBg4i27egAHxksqZe2PHr1I2pXqFFua+dCPgStpyQmtg95utYlJKyQDY5GQ1j7P8R8kSYFMl85ej4/kwW0/PNieeZL/H5o2KfI0euoGXgMDn0fiBSlEPM6H8JTuc4JWIoGOmd7hhPupMlcQLIBGFy7R1pQbuRPk4WpKTwkOEIIpHVqAtvuRkk/SK25n0U=
DS = jhcloos.us IN DS 23900 8 1 a00d0b5c2d72b86fc636289ce0ac9f1ef4e3830d
DS = jhcloos.us IN DS 23900 8 2 4713604b388fd3310c1cc7e01f43e0a8dc56f7b2d69de77ed5a72a5d627bf517
DS = jhcloos.us IN DS 23900 8 3 7ee1b473358e3b1fcc25159cfe7bae288c5689def5e8ddb2a9942e34b51b55c7

ID = 34 (ZSK), tag = 47145, algo = 8, bits = 1024       Active: 1

bh> If you use the 'dig' command line suggested by the wiki, which verifies
bh> using the plain DNSKEY and not the DS, does that work?

:; dig +dnssec +sigchase +trusted-key=./trusted-keys -t MX jhcloos.us @localhost
;; RRset to chase:
jhcloos.us.             86400   IN      MX      10 pao.uu.jhcloos.net.


;; RRSIG of the RRset to chase:
jhcloos.us.             86400   IN      RRSIG   MX 8 2 86400 20110504235936 20110420235936 47145 jhcloos.us. MqBfg8QM0rGVVMrICOu+YgKaIPSM+XXsdXdPGA978dBJgtNeXNgGF6nB GN2SA693ea8lfV6aqalU2jacqCT8oB70tixPNrFKR3yEC9mzc5VU1CoY TjLHbrV/XWkEVH49GzPni6wEvniglTljDhC48Voj1lSlTvPYGtNnWpIs fgY=



Launch a query to find a RRset of type DNSKEY for zone: jhcloos.us.

;; DNSKEYset that signs the RRset to chase:
jhcloos.us.             3600    IN      DNSKEY  256 3 8 AwEAAcg4OMrNzwLJLmaz/Xw2mYWZ2Po5+Fm0w+xi+0TEkaTWtnFhwTlT 6eSK4hEDKsn1xBXb/aCfNPb2bRd+scovwGbasnI3rJhpMVa+rV6XSAQP j575C9/P51XZDOxGzXyx5bIghZMUigmEQkehcWwGPqEHUi/w0xxcFUam r8FUwxDL
jhcloos.us.             3600    IN      DNSKEY  257 3 8 AwEAAdDnaycbNggeRGm1GhMhIiP33JGfvp38qlt1KZlnTMeW/4CaVMTC pIG8F2di+G2/HS/n3OBOWh2JWpCMFwkW3KSfOV4b0ZViRqPGdiha/JTX WKY45/CNZISX+oDm22pVY2Gi6K7bvQl0vOk6NHljV5ZochKBg4i27egA HxksqZe2PHr1I2pXqFFua+dCPgStpyQmtg95utYlJKyQDY5GQ1j7P8R8 kSYFMl85ej4/kwW0/PNieeZL/H5o2KfI0euoGXgMDn0fiBSlEPM6H8JT uc4JWIoGOmd7hhPupMlcQLIBGFy7R1pQbuRPk4WpKTwkOEIIpHVqAtvu Rkk/SK25n0U=


;; RRSIG of the DNSKEYset that signs the RRset to chase:
jhcloos.us.             3600    IN      RRSIG   DNSKEY 8 2 3600 20110504235936 20110420235936 23900 jhcloos.us. VUx4UfIP4R6f44HLXXPBxDCnlSVyUbWgiuuMC/C1m1rLuuv1MbVMewEN 3PTew95U38LWn+eI3uZkZe0pgfHlRCV7UUE4+tOYP+gNuCzqnqVGFExs fWEMjHIOv2A7tJqjnm05BwV0uiyNh4uwltrDFpcOwF7T4XsVJXxqV9Oz 5qllWnM+ppcuzAJFL4XR4kab8dlhHcsh/kB3fzVovEqPAJZDmQg5cgIO nfGy/UdbRbmB5fAdDMVukEBjb0u9ktJsO6bfSirV6+n6PcdEk+MQG+3i SKRU+p2pKOolGWqeaeTzT1T1/+EZ497wIEEOab2TxoPmlWVfA4FHSpfD ID1Fsw==



Launch a query to find a RRset of type DS for zone: jhcloos.us.
;; NO ANSWERS: no more

;; WARNING There is no DS for the zone: jhcloos.us.



;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING MX RRset for jhcloos.us. with DNSKEY:47145: RRSIG failed to verify
;; No DNSKEY is valid to check the RRSIG of the RRset: FAILED

So that fails, too.

I tried a number of such dig calls; all failed the same way.

-JimC
-- 
James Cloos <cloos at jhcloos.com>         OpenPGP: 1024D/ED7DAEA6


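An added example (not code from the message above, nor from PowerDNS): the check a practitioner would run on the output quoted above, recomputing the KSK's key tag and each DS digest from the DNSKEY (RFC 4034 section 5.1.4: digest over the canonical owner name followed by the DNSKEY RDATA) and comparing them with what `pdnssec show-zone` printed. The zone name, key and DS values are copied from the message; digest type 3 (GOST R 34.11-94) is not available in Python's hashlib, so the code reports it as unverifiable instead of treating it as a match. The small inputs in the `__main__` block and the function names are assumptions made for this example.

```python
import base64
import hashlib
import struct

# Copied from the pdnssec show-zone output quoted in the message above:
# the KSK DNSKEY for jhcloos.us and the three DS records it printed.
ZONE = "jhcloos.us."
KSK_FLAGS, KSK_PROTO, KSK_ALG = 257, 3, 8
KSK_PUBKEY_B64 = (
    "AwEAAdDnaycbNggeRGm1GhMhIiP33JGfvp38qlt1KZlnTMeW/4CaVMTCpIG8F2di+G2/HS/n3OBOWh2JWpCMFwkW3KSfOV4b0ZViRqPGdiha/JTXWKY45/CNZISX+oDm22pVY2Gi6K7bvQl0vOk6NHljV5ZochKBg4i27egAHxksqZe2PHr1I2pXqFFua+dCPgStpyQmtg95utYlJKyQDY5GQ1j7P8R8kSYFMl85ej4/kwW0/PNieeZL/H5o2KfI0euoGXgMDn0fiBSlEPM6H8JTuc4JWIoGOmd7hhPupMlcQLIBGFy7R1pQbuRPk4WpKTwkOEIIpHVqAtvuRkk/SK25n0U="
)
PUBLISHED_DS = {  # digest type -> hex digest, as printed by pdnssec
    1: "a00d0b5c2d72b86fc636289ce0ac9f1ef4e3830d",
    2: "4713604b388fd3310c1cc7e01f43e0a8dc56f7b2d69de77ed5a72a5d627bf517",
    3: "7ee1b473358e3b1fcc25159cfe7bae288c5689def5e8ddb2a9942e34b51b55c7",
}
PUBLISHED_TAG = 23900

# DS digest types reproducible with hashlib. Type 3 (GOST R 34.11-94,
# RFC 5933) is deliberately absent: it is reported as unverifiable rather
# than silently "matching".
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def wire_name(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5):
    16-bit big-endian word sum over the RDATA, carry folded in once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), or None when
    the digest type cannot be computed locally."""
    alg = DIGEST_ALGS.get(digest_type)
    if alg is None:
        return None
    return hashlib.new(alg, wire_name(owner) + rdata).hexdigest()


def check_ds(owner, flags, proto, alg, pubkey_b64, published_ds, published_tag):
    """Recompute the key tag and every published DS digest from the DNSKEY.
    Returns {"key_tag": bool, <digest type>: bool | "unsupported digest type"}."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    report = {"key_tag": key_tag(rdata) == published_tag}
    for dtype, hexdigest in published_ds.items():
        computed = ds_digest(owner, rdata, dtype)
        if computed is None:
            report[dtype] = "unsupported digest type"
        else:
            report[dtype] = computed == hexdigest.lower()
    return report


if __name__ == "__main__":
    # Compare the DS set pdnssec printed against the DNSKEY it printed.
    verdict = check_ds(ZONE, KSK_FLAGS, KSK_PROTO, KSK_ALG, KSK_PUBKEY_B64,
                       PUBLISHED_DS, PUBLISHED_TAG)
    for item, result in verdict.items():
        print(item, result)
```

The same `check_ds` call works against a DS set fetched from the parent zone (for example with `dig DS jhcloos.us`), which is the comparison that matters for a resolver: a DS at the parent that does not match the child's KSK, or no DS at all, means the chain of trust stops at the parent regardless of whether the RRSIGs inside the zone verify.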